cm0002@lemmy.world to Cybersecurity - Memes@lemmy.world · 12 days ago
Uh oh, somebody's not following best practices, that's a paddlin [image post, 81 comments]
turmacar@lemmy.world · 12 days ago
The hash or a checksum can be sent to the page to be checked by the same function running in your browser that is checking if the new password has special characters etc.
Vigge93@lemmy.world · 12 days ago
That would be an extremely bad idea though, because it would allow a malicious attacker to:
- Try random usernames, and if the website returns a hash they know that user exists
- Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server
Username/password validation should happen entirely server-side, with as little information as possible provided to the client.
aesthelete@lemmy.world · 12 days ago
> Username/password validation should happen entirely server-side, with as little information as possible provided to the client
💯 It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
testfactor@lemmy.world · 12 days ago
Seems like a great way for me to harvest a bunch of hashes to pull down to my GPU rig and crack offline.
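The three replies above make one argument: an endpoint that hands the stored hash to the browser is both a username-enumeration oracle and a feed for offline cracking, and the fix is to verify server-side and return one generic failure. The following is an added example written for this thread, not code from any of the posters. It contrasts the "send the hash to the page" design with a server-side check that returns byte-identical responses for "no such user" and "wrong password", and does a dummy PBKDF2 computation for unknown users so response time does not leak what the message no longer does. The user table, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the demo


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server-side password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed in-memory user table: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}

# Decoy salt/hash used when the username does not exist, so the server
# spends the same PBKDF2 work either way (timing-based enumeration caveat).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)


def leaky_lookup(username: str) -> dict:
    """The design the first reply floats: return the stored hash so the
    browser's own JS can compare it. Two problems are visible in the
    response alone: unknown users get a different answer (enumeration),
    and known users hand over salt + hash for an offline GPU run."""
    if username not in USERS:
        return {"error": "no such user"}
    salt, digest = USERS[username]
    return {"salt": salt.hex(), "hash": digest.hex()}


def login(username: str, password: str) -> dict:
    """Server-side verification with a single, uninformative failure.

    The same code path runs for unknown users (against the decoy hash),
    the comparison is constant-time, and the client only ever learns
    success or one generic error, never which half was wrong."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _pbkdf2(password, salt)
    # Unknown usernames cannot match the decoy, but the membership check
    # keeps that explicit rather than relying on the random decoy.
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    if ok:
        return {"ok": True}
    return {"ok": False, "error": "invalid username or password"}


if __name__ == "__main__":
    # Attacker's view of each design for a real and a guessed username.
    for u in ("alice", "mallory"):
        print("leaky:", u, leaky_lookup(u))
        print("fixed:", u, login(u, "guess"))
```

Note that the hardened `login` still exposes whether the account exists through other channels the thread does not cover (rate limits, account lockout, registration and password-reset flows); the generic message and the decoy hash only close the two leaks the replies name.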